SIGNALING SYSTEM 7 (SS7)
SECURITY REPORT
SS7 - SECURITY REPORT
CONTENTS
1. Introduction
2. Summary
3. Research methodology
Preconditions for attacks
An attacker’s profile
Resources required
4. Research overview
4.1. IMSI disclosure
4.2. Discovering a subscriber’s location
4.3. Disrupting a subscriber’s availability
4.4. Incoming SMS interception
4.5. USSD request manipulation
4.6. Subscriber Profile Manipulation in VLR
4.7. Intercepting outgoing calls
4.8. Redirecting incoming calls
4.9. MSC denial of service for incoming calls
5. SS7 attacks background and experience
6. Predictions and solutions
7. Sources
8. Abbreviations
1. INTRODUCTION
Nowadays mobile networks are the most dynamic part of critical communication
infrastructures and the key instrument used to perform daily activities ranging from
voice and text messaging to providing signaling for emergency services and critical
infrastructure.
Regardless of what security assurances mobile network operators provide, there is
plenty of hard evidence showing how vulnerable these systems are. Lately, it seems
to be a common occurrence for private telephone conversations or pictures of
government officials, celebrities and business leaders to appear on the Internet, even
though these individuals usually take extra precautions when it comes to their personal
privacy and safety.
In many instances, a common misconception is that security breaches like these are
very complicated and expensive to execute and can only be accomplished by high-
ranking security intelligence agencies, organized crime or the most sophisticated
hackers. This perception is understandable, since most people are trained to view a
mobile communication network as a system made up of only the most cutting-edge
technologies. However, in reality a telecommunications network is a complex system
built on subsystems that each have different technological levels, with the security of
the whole network usually defined by the security level of the weakest link.
In particular, the process of placing voice calls in modern mobile networks is still based
on SS7 technology which dates back to the 1970s. At that time, safety protocols involved
physical security of hosts and communication channels, making it impossible to obtain
access to an SS7 network through a remote unauthorized host. In the early 21st century,
a set of signaling transport protocols called SIGTRAN was developed. SIGTRAN is an
extension to SS7 that allows the use of IP networks to transfer messages [1]. However,
even with these new specifications, security vulnerabilities within SS7 protocols
remained. As a result, an intruder is able to send, intercept and alter SS7 messages by
executing various attacks against mobile networks and their subscribers.
The findings in this report were gathered by the experts at Positive Technologies during
2013 and 2014, based on a series of in-depth tests conducted at several large mobile
operator sites. These findings were then validated against known vulnerabilities and
features of an SS7 network.
2. KEY FINDINGS
Vulnerabilities in SS7-based mobile networks allow an intruder with basic skills
to perform dangerous attacks that may lead to direct subscriber financial loss,
confidential data leakage or disruption of communication services. During network
security testing, Positive Technologies experts managed to perform such attacks as
discovering a subscriber’s location, disrupting a subscriber’s service, SMS interception,
forging Unstructured Supplementary Service Data (USSD) requests (and transferring
funds as a result of this attack), voice call redirection, conversation tapping and
disrupting the availability of a mobile switch.
The testing revealed that even the top 10 telecommunications companies are vulnerable
to these attacks. Moreover, there are reported cases of such attacks internationally,
including discovering a subscriber’s location and eavesdropping on conversations.
Common characteristics of these attacks:
+ An intruder doesn’t need sophisticated equipment. Positive Technologies used a popular Linux based computer and a publicly available SDK for generating SS7 packets.
+ After performing an initial attack using SS7 commands, the intruder is able to execute additional attacks using the same methods. For instance, if an intruder manages to determine a subscriber’s location, only one further step is required to intercept SMS messages, commit fraud, etc.
+ Attacks are based on legitimate SS7 messages. Therefore, you cannot simply filter messages as it may have a negative impact on the overall quality of service.
3. RESEARCH METHODOLOGY
Prerequisites for an attack
Most SS7 network attacks are based on the main principle of cellular
telecommunication networks: subscriber mobility. First, for the a to reach a subscriber,
data about the subscriber’s location must be stored and updated in the system.
Second, subscriber mobility requires that services be available any place within a
home area and while roaming on partner networks.
The exchange of subscriber information between mobile carriers is done using SS7
messages, which are commonly used by most operators. An attacker can be anywhere.
Messages can be sent from any country to any network. At the same time, certain
message types must be passed to ensure roaming or long-distance communication.
Moreover, telephone communication systems are more and more integrated with IT
systems. A phone network node was once a “black box”, but now nodes are built on
popular hardware and software platforms (Linux, Solaris, and VxWorks).
An attacker’s profile
An attacker can be a person or a group of people sufficiently qualified to build a node
to emulate that of a mobile operator. To access an SS7 network, attackers can acquire
an existing provider’s connection on the black (underground) market and obtain
authorization to operate as a mobile carrier in countries with lax communications
laws. In addition, any hacker who happens to work as a technical specialist at a
telecommunications operator would be able to connect their hacking equipment to
the company’s SS7 network. In order to perform certain attacks, legitimate functions
of the existing communication network equipment must be used. There is also an
opportunity to penetrate a provider’s network through a cracked edge device (GGSN
or a femtocell).
Besides having different ways of accessing an SS7 network, attackers likely also have
different motives for doing so, including performing fraudulent activities, obtaining
a subscriber’s confidential data or disrupting service for certain subscribers or the
whole network.